diff options
author | John Johansen <john.johansen@canonical.com> | 2010-07-29 17:48:02 -0400 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2010-08-02 01:38:36 -0400 |
commit | 736ec752d95e91e77cc0e8c97c057ab076ac2f51 (patch) | |
tree | 128d330ecff67c5d83862062825b7975c92fee96 | |
parent | 0ed3b28ab8bf460a3a026f3f1782bf4c53840184 (diff) |
AppArmor: policy routines for loading and unpacking policy
AppArmor policy is loaded in a platform independent flattened binary
stream. Verify and unpack the data converting it to the internal
format needed for enforcement.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: James Morris <jmorris@namei.org>
-rw-r--r-- | security/apparmor/include/policy_unpack.h | 20 | ||||
-rw-r--r-- | security/apparmor/policy_unpack.c | 703 |
2 files changed, 723 insertions, 0 deletions
diff --git a/security/apparmor/include/policy_unpack.h b/security/apparmor/include/policy_unpack.h new file mode 100644 index 00000000000..a2dcccac45a --- /dev/null +++ b/security/apparmor/include/policy_unpack.h | |||
@@ -0,0 +1,20 @@ | |||
1 | /* | ||
2 | * AppArmor security module | ||
3 | * | ||
4 | * This file contains AppArmor policy loading interface function definitions. | ||
5 | * | ||
6 | * Copyright (C) 1998-2008 Novell/SUSE | ||
7 | * Copyright 2009-2010 Canonical Ltd. | ||
8 | * | ||
9 | * This program is free software; you can redistribute it and/or | ||
10 | * modify it under the terms of the GNU General Public License as | ||
11 | * published by the Free Software Foundation, version 2 of the | ||
12 | * License. | ||
13 | */ | ||
14 | |||
15 | #ifndef __POLICY_INTERFACE_H | ||
16 | #define __POLICY_INTERFACE_H | ||
17 | |||
18 | struct aa_profile *aa_unpack(void *udata, size_t size, const char **ns); | ||
19 | |||
20 | #endif /* __POLICY_INTERFACE_H */ | ||
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c new file mode 100644 index 00000000000..eb3700e9fd3 --- /dev/null +++ b/security/apparmor/policy_unpack.c | |||
@@ -0,0 +1,703 @@ | |||
1 | /* | ||
2 | * AppArmor security module | ||
3 | * | ||
4 | * This file contains AppArmor functions for unpacking policy loaded from | ||
5 | * userspace. | ||
6 | * | ||
7 | * Copyright (C) 1998-2008 Novell/SUSE | ||
8 | * Copyright 2009-2010 Canonical Ltd. | ||
9 | * | ||
10 | * This program is free software; you can redistribute it and/or | ||
11 | * modify it under the terms of the GNU General Public License as | ||
12 | * published by the Free Software Foundation, version 2 of the | ||
13 | * License. | ||
14 | * | ||
15 | * AppArmor uses a serialized binary format for loading policy. | ||
16 | * To find policy format documentation look in Documentation/apparmor.txt | ||
17 | * All policy is validated before it is used. | ||
18 | */ | ||
19 | |||
20 | #include <asm/unaligned.h> | ||
21 | #include <linux/ctype.h> | ||
22 | #include <linux/errno.h> | ||
23 | |||
24 | #include "include/apparmor.h" | ||
25 | #include "include/audit.h" | ||
26 | #include "include/context.h" | ||
27 | #include "include/match.h" | ||
28 | #include "include/policy.h" | ||
29 | #include "include/policy_unpack.h" | ||
30 | #include "include/sid.h" | ||
31 | |||
32 | /* | ||
33 | * The AppArmor interface treats data as a type byte followed by the | ||
34 | * actual data. The interface has the notion of a a named entry | ||
35 | * which has a name (AA_NAME typecode followed by name string) followed by | ||
36 | * the entries typecode and data. Named types allow for optional | ||
37 | * elements and extensions to be added and tested for without breaking | ||
38 | * backwards compatibility. | ||
39 | */ | ||
40 | |||
41 | enum aa_code { | ||
42 | AA_U8, | ||
43 | AA_U16, | ||
44 | AA_U32, | ||
45 | AA_U64, | ||
46 | AA_NAME, /* same as string except it is items name */ | ||
47 | AA_STRING, | ||
48 | AA_BLOB, | ||
49 | AA_STRUCT, | ||
50 | AA_STRUCTEND, | ||
51 | AA_LIST, | ||
52 | AA_LISTEND, | ||
53 | AA_ARRAY, | ||
54 | AA_ARRAYEND, | ||
55 | }; | ||
56 | |||
57 | /* | ||
58 | * aa_ext is the read of the buffer containing the serialized profile. The | ||
59 | * data is copied into a kernel buffer in apparmorfs and then handed off to | ||
60 | * the unpack routines. | ||
61 | */ | ||
62 | struct aa_ext { | ||
63 | void *start; | ||
64 | void *end; | ||
65 | void *pos; /* pointer to current position in the buffer */ | ||
66 | u32 version; | ||
67 | }; | ||
68 | |||
69 | /* audit callback for unpack fields */ | ||
70 | static void audit_cb(struct audit_buffer *ab, void *va) | ||
71 | { | ||
72 | struct common_audit_data *sa = va; | ||
73 | if (sa->aad.iface.target) { | ||
74 | struct aa_profile *name = sa->aad.iface.target; | ||
75 | audit_log_format(ab, " name="); | ||
76 | audit_log_untrustedstring(ab, name->base.hname); | ||
77 | } | ||
78 | if (sa->aad.iface.pos) | ||
79 | audit_log_format(ab, " offset=%ld", sa->aad.iface.pos); | ||
80 | } | ||
81 | |||
82 | /** | ||
83 | * audit_iface - do audit message for policy unpacking/load/replace/remove | ||
84 | * @new: profile if it has been allocated (MAYBE NULL) | ||
85 | * @name: name of the profile being manipulated (MAYBE NULL) | ||
86 | * @info: any extra info about the failure (MAYBE NULL) | ||
87 | * @e: buffer position info (NOT NULL) | ||
88 | * @error: error code | ||
89 | * | ||
90 | * Returns: %0 or error | ||
91 | */ | ||
92 | static int audit_iface(struct aa_profile *new, const char *name, | ||
93 | const char *info, struct aa_ext *e, int error) | ||
94 | { | ||
95 | struct aa_profile *profile = __aa_current_profile(); | ||
96 | struct common_audit_data sa; | ||
97 | COMMON_AUDIT_DATA_INIT(&sa, NONE); | ||
98 | sa.aad.iface.pos = e->pos - e->start; | ||
99 | sa.aad.iface.target = new; | ||
100 | sa.aad.name = name; | ||
101 | sa.aad.info = info; | ||
102 | sa.aad.error = error; | ||
103 | |||
104 | return aa_audit(AUDIT_APPARMOR_STATUS, profile, GFP_KERNEL, &sa, | ||
105 | audit_cb); | ||
106 | } | ||
107 | |||
108 | /* test if read will be in packed data bounds */ | ||
109 | static bool inbounds(struct aa_ext *e, size_t size) | ||
110 | { | ||
111 | return (size <= e->end - e->pos); | ||
112 | } | ||
113 | |||
114 | /** | ||
115 | * aa_u16_chunck - test and do bounds checking for a u16 size based chunk | ||
116 | * @e: serialized data read head (NOT NULL) | ||
117 | * @chunk: start address for chunk of data (NOT NULL) | ||
118 | * | ||
119 | * Returns: the size of chunk found with the read head at the end of the chunk. | ||
120 | */ | ||
121 | static size_t unpack_u16_chunk(struct aa_ext *e, char **chunk) | ||
122 | { | ||
123 | size_t size = 0; | ||
124 | |||
125 | if (!inbounds(e, sizeof(u16))) | ||
126 | return 0; | ||
127 | size = le16_to_cpu(get_unaligned((u16 *) e->pos)); | ||
128 | e->pos += sizeof(u16); | ||
129 | if (!inbounds(e, size)) | ||
130 | return 0; | ||
131 | *chunk = e->pos; | ||
132 | e->pos += size; | ||
133 | return size; | ||
134 | } | ||
135 | |||
136 | /* unpack control byte */ | ||
137 | static bool unpack_X(struct aa_ext *e, enum aa_code code) | ||
138 | { | ||
139 | if (!inbounds(e, 1)) | ||
140 | return 0; | ||
141 | if (*(u8 *) e->pos != code) | ||
142 | return 0; | ||
143 | e->pos++; | ||
144 | return 1; | ||
145 | } | ||
146 | |||
147 | /** | ||
148 | * unpack_nameX - check is the next element is of type X with a name of @name | ||
149 | * @e: serialized data extent information (NOT NULL) | ||
150 | * @code: type code | ||
151 | * @name: name to match to the serialized element. (MAYBE NULL) | ||
152 | * | ||
153 | * check that the next serialized data element is of type X and has a tag | ||
154 | * name @name. If @name is specified then there must be a matching | ||
155 | * name element in the stream. If @name is NULL any name element will be | ||
156 | * skipped and only the typecode will be tested. | ||
157 | * | ||
158 | * Returns 1 on success (both type code and name tests match) and the read | ||
159 | * head is advanced past the headers | ||
160 | * | ||
161 | * Returns: 0 if either match fails, the read head does not move | ||
162 | */ | ||
163 | static bool unpack_nameX(struct aa_ext *e, enum aa_code code, const char *name) | ||
164 | { | ||
165 | /* | ||
166 | * May need to reset pos if name or type doesn't match | ||
167 | */ | ||
168 | void *pos = e->pos; | ||
169 | /* | ||
170 | * Check for presence of a tagname, and if present name size | ||
171 | * AA_NAME tag value is a u16. | ||
172 | */ | ||
173 | if (unpack_X(e, AA_NAME)) { | ||
174 | char *tag = NULL; | ||
175 | size_t size = unpack_u16_chunk(e, &tag); | ||
176 | /* if a name is specified it must match. otherwise skip tag */ | ||
177 | if (name && (!size || strcmp(name, tag))) | ||
178 | goto fail; | ||
179 | } else if (name) { | ||
180 | /* if a name is specified and there is no name tag fail */ | ||
181 | goto fail; | ||
182 | } | ||
183 | |||
184 | /* now check if type code matches */ | ||
185 | if (unpack_X(e, code)) | ||
186 | return 1; | ||
187 | |||
188 | fail: | ||
189 | e->pos = pos; | ||
190 | return 0; | ||
191 | } | ||
192 | |||
193 | static bool unpack_u32(struct aa_ext *e, u32 *data, const char *name) | ||
194 | { | ||
195 | if (unpack_nameX(e, AA_U32, name)) { | ||
196 | if (!inbounds(e, sizeof(u32))) | ||
197 | return 0; | ||
198 | if (data) | ||
199 | *data = le32_to_cpu(get_unaligned((u32 *) e->pos)); | ||
200 | e->pos += sizeof(u32); | ||
201 | return 1; | ||
202 | } | ||
203 | return 0; | ||
204 | } | ||
205 | |||
206 | static bool unpack_u64(struct aa_ext *e, u64 *data, const char *name) | ||
207 | { | ||
208 | if (unpack_nameX(e, AA_U64, name)) { | ||
209 | if (!inbounds(e, sizeof(u64))) | ||
210 | return 0; | ||
211 | if (data) | ||
212 | *data = le64_to_cpu(get_unaligned((u64 *) e->pos)); | ||
213 | e->pos += sizeof(u64); | ||
214 | return 1; | ||
215 | } | ||
216 | return 0; | ||
217 | } | ||
218 | |||
219 | static size_t unpack_array(struct aa_ext *e, const char *name) | ||
220 | { | ||
221 | if (unpack_nameX(e, AA_ARRAY, name)) { | ||
222 | int size; | ||
223 | if (!inbounds(e, sizeof(u16))) | ||
224 | return 0; | ||
225 | size = (int)le16_to_cpu(get_unaligned((u16 *) e->pos)); | ||
226 | e->pos += sizeof(u16); | ||
227 | return size; | ||
228 | } | ||
229 | return 0; | ||
230 | } | ||
231 | |||
232 | static size_t unpack_blob(struct aa_ext *e, char **blob, const char *name) | ||
233 | { | ||
234 | if (unpack_nameX(e, AA_BLOB, name)) { | ||
235 | u32 size; | ||
236 | if (!inbounds(e, sizeof(u32))) | ||
237 | return 0; | ||
238 | size = le32_to_cpu(get_unaligned((u32 *) e->pos)); | ||
239 | e->pos += sizeof(u32); | ||
240 | if (inbounds(e, (size_t) size)) { | ||
241 | *blob = e->pos; | ||
242 | e->pos += size; | ||
243 | return size; | ||
244 | } | ||
245 | } | ||
246 | return 0; | ||
247 | } | ||
248 | |||
249 | static int unpack_str(struct aa_ext *e, const char **string, const char *name) | ||
250 | { | ||
251 | char *src_str; | ||
252 | size_t size = 0; | ||
253 | void *pos = e->pos; | ||
254 | *string = NULL; | ||
255 | if (unpack_nameX(e, AA_STRING, name)) { | ||
256 | size = unpack_u16_chunk(e, &src_str); | ||
257 | if (size) { | ||
258 | /* strings are null terminated, length is size - 1 */ | ||
259 | if (src_str[size - 1] != 0) | ||
260 | goto fail; | ||
261 | *string = src_str; | ||
262 | } | ||
263 | } | ||
264 | return size; | ||
265 | |||
266 | fail: | ||
267 | e->pos = pos; | ||
268 | return 0; | ||
269 | } | ||
270 | |||
271 | static int unpack_strdup(struct aa_ext *e, char **string, const char *name) | ||
272 | { | ||
273 | const char *tmp; | ||
274 | void *pos = e->pos; | ||
275 | int res = unpack_str(e, &tmp, name); | ||
276 | *string = NULL; | ||
277 | |||
278 | if (!res) | ||
279 | return 0; | ||
280 | |||
281 | *string = kmemdup(tmp, res, GFP_KERNEL); | ||
282 | if (!*string) { | ||
283 | e->pos = pos; | ||
284 | return 0; | ||
285 | } | ||
286 | |||
287 | return res; | ||
288 | } | ||
289 | |||
290 | /** | ||
291 | * verify_accept - verify the accept tables of a dfa | ||
292 | * @dfa: dfa to verify accept tables of (NOT NULL) | ||
293 | * @flags: flags governing dfa | ||
294 | * | ||
295 | * Returns: 1 if valid accept tables else 0 if error | ||
296 | */ | ||
297 | static bool verify_accept(struct aa_dfa *dfa, int flags) | ||
298 | { | ||
299 | int i; | ||
300 | |||
301 | /* verify accept permissions */ | ||
302 | for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) { | ||
303 | int mode = ACCEPT_TABLE(dfa)[i]; | ||
304 | |||
305 | if (mode & ~DFA_VALID_PERM_MASK) | ||
306 | return 0; | ||
307 | |||
308 | if (ACCEPT_TABLE2(dfa)[i] & ~DFA_VALID_PERM2_MASK) | ||
309 | return 0; | ||
310 | } | ||
311 | return 1; | ||
312 | } | ||
313 | |||
314 | /** | ||
315 | * unpack_dfa - unpack a file rule dfa | ||
316 | * @e: serialized data extent information (NOT NULL) | ||
317 | * | ||
318 | * returns dfa or ERR_PTR or NULL if no dfa | ||
319 | */ | ||
320 | static struct aa_dfa *unpack_dfa(struct aa_ext *e) | ||
321 | { | ||
322 | char *blob = NULL; | ||
323 | size_t size; | ||
324 | struct aa_dfa *dfa = NULL; | ||
325 | |||
326 | size = unpack_blob(e, &blob, "aadfa"); | ||
327 | if (size) { | ||
328 | /* | ||
329 | * The dfa is aligned with in the blob to 8 bytes | ||
330 | * from the beginning of the stream. | ||
331 | */ | ||
332 | size_t sz = blob - (char *)e->start; | ||
333 | size_t pad = ALIGN(sz, 8) - sz; | ||
334 | int flags = TO_ACCEPT1_FLAG(YYTD_DATA32) | | ||
335 | TO_ACCEPT2_FLAG(YYTD_DATA32); | ||
336 | |||
337 | |||
338 | if (aa_g_paranoid_load) | ||
339 | flags |= DFA_FLAG_VERIFY_STATES; | ||
340 | |||
341 | dfa = aa_dfa_unpack(blob + pad, size - pad, flags); | ||
342 | |||
343 | if (IS_ERR(dfa)) | ||
344 | return dfa; | ||
345 | |||
346 | if (!verify_accept(dfa, flags)) | ||
347 | goto fail; | ||
348 | } | ||
349 | |||
350 | return dfa; | ||
351 | |||
352 | fail: | ||
353 | aa_put_dfa(dfa); | ||
354 | return ERR_PTR(-EPROTO); | ||
355 | } | ||
356 | |||
357 | /** | ||
358 | * unpack_trans_table - unpack a profile transition table | ||
359 | * @e: serialized data extent information (NOT NULL) | ||
360 | * @profile: profile to add the accept table to (NOT NULL) | ||
361 | * | ||
362 | * Returns: 1 if table succesfully unpacked | ||
363 | */ | ||
364 | static bool unpack_trans_table(struct aa_ext *e, struct aa_profile *profile) | ||
365 | { | ||
366 | void *pos = e->pos; | ||
367 | |||
368 | /* exec table is optional */ | ||
369 | if (unpack_nameX(e, AA_STRUCT, "xtable")) { | ||
370 | int i, size; | ||
371 | |||
372 | size = unpack_array(e, NULL); | ||
373 | /* currently 4 exec bits and entries 0-3 are reserved iupcx */ | ||
374 | if (size > 16 - 4) | ||
375 | goto fail; | ||
376 | profile->file.trans.table = kzalloc(sizeof(char *) * size, | ||
377 | GFP_KERNEL); | ||
378 | if (!profile->file.trans.table) | ||
379 | goto fail; | ||
380 | |||
381 | profile->file.trans.size = size; | ||
382 | for (i = 0; i < size; i++) { | ||
383 | char *str; | ||
384 | int c, j, size = unpack_strdup(e, &str, NULL); | ||
385 | /* unpack_strdup verifies that the last character is | ||
386 | * null termination byte. | ||
387 | */ | ||
388 | if (!size) | ||
389 | goto fail; | ||
390 | profile->file.trans.table[i] = str; | ||
391 | /* verify that name doesn't start with space */ | ||
392 | if (isspace(*str)) | ||
393 | goto fail; | ||
394 | |||
395 | /* count internal # of internal \0 */ | ||
396 | for (c = j = 0; j < size - 2; j++) { | ||
397 | if (!str[j]) | ||
398 | c++; | ||
399 | } | ||
400 | if (*str == ':') { | ||
401 | /* beginning with : requires an embedded \0, | ||
402 | * verify that exactly 1 internal \0 exists | ||
403 | * trailing \0 already verified by unpack_strdup | ||
404 | */ | ||
405 | if (c != 1) | ||
406 | goto fail; | ||
407 | /* first character after : must be valid */ | ||
408 | if (!str[1]) | ||
409 | goto fail; | ||
410 | } else if (c) | ||
411 | /* fail - all other cases with embedded \0 */ | ||
412 | goto fail; | ||
413 | } | ||
414 | if (!unpack_nameX(e, AA_ARRAYEND, NULL)) | ||
415 | goto fail; | ||
416 | if (!unpack_nameX(e, AA_STRUCTEND, NULL)) | ||
417 | goto fail; | ||
418 | } | ||
419 | return 1; | ||
420 | |||
421 | fail: | ||
422 | aa_free_domain_entries(&profile->file.trans); | ||
423 | e->pos = pos; | ||
424 | return 0; | ||
425 | } | ||
426 | |||
427 | static bool unpack_rlimits(struct aa_ext *e, struct aa_profile *profile) | ||
428 | { | ||
429 | void *pos = e->pos; | ||
430 | |||
431 | /* rlimits are optional */ | ||
432 | if (unpack_nameX(e, AA_STRUCT, "rlimits")) { | ||
433 | int i, size; | ||
434 | u32 tmp = 0; | ||
435 | if (!unpack_u32(e, &tmp, NULL)) | ||
436 | goto fail; | ||
437 | profile->rlimits.mask = tmp; | ||
438 | |||
439 | size = unpack_array(e, NULL); | ||
440 | if (size > RLIM_NLIMITS) | ||
441 | goto fail; | ||
442 | for (i = 0; i < size; i++) { | ||
443 | u64 tmp = 0; | ||
444 | int a = aa_map_resource(i); | ||
445 | if (!unpack_u64(e, &tmp, NULL)) | ||
446 | goto fail; | ||
447 | profile->rlimits.limits[a].rlim_max = tmp; | ||
448 | } | ||
449 | if (!unpack_nameX(e, AA_ARRAYEND, NULL)) | ||
450 | goto fail; | ||
451 | if (!unpack_nameX(e, AA_STRUCTEND, NULL)) | ||
452 | goto fail; | ||
453 | } | ||
454 | return 1; | ||
455 | |||
456 | fail: | ||
457 | e->pos = pos; | ||
458 | return 0; | ||
459 | } | ||
460 | |||
461 | /** | ||
462 | * unpack_profile - unpack a serialized profile | ||
463 | * @e: serialized data extent information (NOT NULL) | ||
464 | * | ||
465 | * NOTE: unpack profile sets audit struct if there is a failure | ||
466 | */ | ||
467 | static struct aa_profile *unpack_profile(struct aa_ext *e) | ||
468 | { | ||
469 | struct aa_profile *profile = NULL; | ||
470 | const char *name = NULL; | ||
471 | int error = -EPROTO; | ||
472 | kernel_cap_t tmpcap; | ||
473 | u32 tmp; | ||
474 | |||
475 | /* check that we have the right struct being passed */ | ||
476 | if (!unpack_nameX(e, AA_STRUCT, "profile")) | ||
477 | goto fail; | ||
478 | if (!unpack_str(e, &name, NULL)) | ||
479 | goto fail; | ||
480 | |||
481 | profile = aa_alloc_profile(name); | ||
482 | if (!profile) | ||
483 | return ERR_PTR(-ENOMEM); | ||
484 | |||
485 | /* profile renaming is optional */ | ||
486 | (void) unpack_str(e, &profile->rename, "rename"); | ||
487 | |||
488 | /* xmatch is optional and may be NULL */ | ||
489 | profile->xmatch = unpack_dfa(e); | ||
490 | if (IS_ERR(profile->xmatch)) { | ||
491 | error = PTR_ERR(profile->xmatch); | ||
492 | profile->xmatch = NULL; | ||
493 | goto fail; | ||
494 | } | ||
495 | /* xmatch_len is not optional if xmatch is set */ | ||
496 | if (profile->xmatch) { | ||
497 | if (!unpack_u32(e, &tmp, NULL)) | ||
498 | goto fail; | ||
499 | profile->xmatch_len = tmp; | ||
500 | } | ||
501 | |||
502 | /* per profile debug flags (complain, audit) */ | ||
503 | if (!unpack_nameX(e, AA_STRUCT, "flags")) | ||
504 | goto fail; | ||
505 | if (!unpack_u32(e, &tmp, NULL)) | ||
506 | goto fail; | ||
507 | if (tmp) | ||
508 | profile->flags |= PFLAG_HAT; | ||
509 | if (!unpack_u32(e, &tmp, NULL)) | ||
510 | goto fail; | ||
511 | if (tmp) | ||
512 | profile->mode = APPARMOR_COMPLAIN; | ||
513 | if (!unpack_u32(e, &tmp, NULL)) | ||
514 | goto fail; | ||
515 | if (tmp) | ||
516 | profile->audit = AUDIT_ALL; | ||
517 | |||
518 | if (!unpack_nameX(e, AA_STRUCTEND, NULL)) | ||
519 | goto fail; | ||
520 | |||
521 | /* path_flags is optional */ | ||
522 | if (unpack_u32(e, &profile->path_flags, "path_flags")) | ||
523 | profile->path_flags |= profile->flags & PFLAG_MEDIATE_DELETED; | ||
524 | else | ||
525 | /* set a default value if path_flags field is not present */ | ||
526 | profile->path_flags = PFLAG_MEDIATE_DELETED; | ||
527 | |||
528 | if (!unpack_u32(e, &(profile->caps.allow.cap[0]), NULL)) | ||
529 | goto fail; | ||
530 | if (!unpack_u32(e, &(profile->caps.audit.cap[0]), NULL)) | ||
531 | goto fail; | ||
532 | if (!unpack_u32(e, &(profile->caps.quiet.cap[0]), NULL)) | ||
533 | goto fail; | ||
534 | if (!unpack_u32(e, &tmpcap.cap[0], NULL)) | ||
535 | goto fail; | ||
536 | |||
537 | if (unpack_nameX(e, AA_STRUCT, "caps64")) { | ||
538 | /* optional upper half of 64 bit caps */ | ||
539 | if (!unpack_u32(e, &(profile->caps.allow.cap[1]), NULL)) | ||
540 | goto fail; | ||
541 | if (!unpack_u32(e, &(profile->caps.audit.cap[1]), NULL)) | ||
542 | goto fail; | ||
543 | if (!unpack_u32(e, &(profile->caps.quiet.cap[1]), NULL)) | ||
544 | goto fail; | ||
545 | if (!unpack_u32(e, &(tmpcap.cap[1]), NULL)) | ||
546 | goto fail; | ||
547 | if (!unpack_nameX(e, AA_STRUCTEND, NULL)) | ||
548 | goto fail; | ||
549 | } | ||
550 | |||
551 | if (unpack_nameX(e, AA_STRUCT, "capsx")) { | ||
552 | /* optional extended caps mediation mask */ | ||
553 | if (!unpack_u32(e, &(profile->caps.extended.cap[0]), NULL)) | ||
554 | goto fail; | ||
555 | if (!unpack_u32(e, &(profile->caps.extended.cap[1]), NULL)) | ||
556 | goto fail; | ||
557 | } | ||
558 | |||
559 | if (!unpack_rlimits(e, profile)) | ||
560 | goto fail; | ||
561 | |||
562 | /* get file rules */ | ||
563 | profile->file.dfa = unpack_dfa(e); | ||
564 | if (IS_ERR(profile->file.dfa)) { | ||
565 | error = PTR_ERR(profile->file.dfa); | ||
566 | profile->file.dfa = NULL; | ||
567 | goto fail; | ||
568 | } | ||
569 | |||
570 | if (!unpack_u32(e, &profile->file.start, "dfa_start")) | ||
571 | /* default start state */ | ||
572 | profile->file.start = DFA_START; | ||
573 | |||
574 | if (!unpack_trans_table(e, profile)) | ||
575 | goto fail; | ||
576 | |||
577 | if (!unpack_nameX(e, AA_STRUCTEND, NULL)) | ||
578 | goto fail; | ||
579 | |||
580 | return profile; | ||
581 | |||
582 | fail: | ||
583 | if (profile) | ||
584 | name = NULL; | ||
585 | else if (!name) | ||
586 | name = "unknown"; | ||
587 | audit_iface(profile, name, "failed to unpack profile", e, error); | ||
588 | aa_put_profile(profile); | ||
589 | |||
590 | return ERR_PTR(error); | ||
591 | } | ||
592 | |||
593 | /** | ||
594 | * verify_head - unpack serialized stream header | ||
595 | * @e: serialized data read head (NOT NULL) | ||
596 | * @ns: Returns - namespace if one is specified else NULL (NOT NULL) | ||
597 | * | ||
598 | * Returns: error or 0 if header is good | ||
599 | */ | ||
600 | static int verify_header(struct aa_ext *e, const char **ns) | ||
601 | { | ||
602 | int error = -EPROTONOSUPPORT; | ||
603 | /* get the interface version */ | ||
604 | if (!unpack_u32(e, &e->version, "version")) { | ||
605 | audit_iface(NULL, NULL, "invalid profile format", e, error); | ||
606 | return error; | ||
607 | } | ||
608 | |||
609 | /* check that the interface version is currently supported */ | ||
610 | if (e->version != 5) { | ||
611 | audit_iface(NULL, NULL, "unsupported interface version", e, | ||
612 | error); | ||
613 | return error; | ||
614 | } | ||
615 | |||
616 | /* read the namespace if present */ | ||
617 | if (!unpack_str(e, ns, "namespace")) | ||
618 | *ns = NULL; | ||
619 | |||
620 | return 0; | ||
621 | } | ||
622 | |||
623 | static bool verify_xindex(int xindex, int table_size) | ||
624 | { | ||
625 | int index, xtype; | ||
626 | xtype = xindex & AA_X_TYPE_MASK; | ||
627 | index = xindex & AA_X_INDEX_MASK; | ||
628 | if (xtype == AA_X_TABLE && index > table_size) | ||
629 | return 0; | ||
630 | return 1; | ||
631 | } | ||
632 | |||
633 | /* verify dfa xindexes are in range of transition tables */ | ||
634 | static bool verify_dfa_xindex(struct aa_dfa *dfa, int table_size) | ||
635 | { | ||
636 | int i; | ||
637 | for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) { | ||
638 | if (!verify_xindex(dfa_user_xindex(dfa, i), table_size)) | ||
639 | return 0; | ||
640 | if (!verify_xindex(dfa_other_xindex(dfa, i), table_size)) | ||
641 | return 0; | ||
642 | } | ||
643 | return 1; | ||
644 | } | ||
645 | |||
646 | /** | ||
647 | * verify_profile - Do post unpack analysis to verify profile consistency | ||
648 | * @profile: profile to verify (NOT NULL) | ||
649 | * | ||
650 | * Returns: 0 if passes verification else error | ||
651 | */ | ||
652 | static int verify_profile(struct aa_profile *profile) | ||
653 | { | ||
654 | if (aa_g_paranoid_load) { | ||
655 | if (profile->file.dfa && | ||
656 | !verify_dfa_xindex(profile->file.dfa, | ||
657 | profile->file.trans.size)) { | ||
658 | audit_iface(profile, NULL, "Invalid named transition", | ||
659 | NULL, -EPROTO); | ||
660 | return -EPROTO; | ||
661 | } | ||
662 | } | ||
663 | |||
664 | return 0; | ||
665 | } | ||
666 | |||
667 | /** | ||
668 | * aa_unpack - unpack packed binary profile data loaded from user space | ||
669 | * @udata: user data copied to kmem (NOT NULL) | ||
670 | * @size: the size of the user data | ||
671 | * @ns: Returns namespace profile is in if specified else NULL (NOT NULL) | ||
672 | * | ||
673 | * Unpack user data and return refcounted allocated profile or ERR_PTR | ||
674 | * | ||
675 | * Returns: profile else error pointer if fails to unpack | ||
676 | */ | ||
677 | struct aa_profile *aa_unpack(void *udata, size_t size, const char **ns) | ||
678 | { | ||
679 | struct aa_profile *profile = NULL; | ||
680 | int error; | ||
681 | struct aa_ext e = { | ||
682 | .start = udata, | ||
683 | .end = udata + size, | ||
684 | .pos = udata, | ||
685 | }; | ||
686 | |||
687 | error = verify_header(&e, ns); | ||
688 | if (error) | ||
689 | return ERR_PTR(error); | ||
690 | |||
691 | profile = unpack_profile(&e); | ||
692 | if (IS_ERR(profile)) | ||
693 | return profile; | ||
694 | |||
695 | error = verify_profile(profile); | ||
696 | if (error) { | ||
697 | aa_put_profile(profile); | ||
698 | profile = ERR_PTR(error); | ||
699 | } | ||
700 | |||
701 | /* return refcount */ | ||
702 | return profile; | ||
703 | } | ||